
Defending the Federal Government from Cyber Attacks
A Model Every Organization Can Learn From

HACKERONE 1
Introduction
The U.S. Department of Defense (DoD), in a first for the U.S.
Federal Government, invited white hat hackers to find security
flaws in systems run by the Pentagon, Air Force, and Army. What
they learned helped the DoD bolster their cyber defenses and
prove the benefits of hacker-powered security to a wide range of
government agencies and organizations like yours!

Hack Us!
In April 2016, the DoD took a bold step: they launched the first bug bounty program in the history of the Federal Government. It was just a month-long program, but it was the start of a flurry of activity from other government agencies who not only launched more hacker-powered security programs, but published guidance on how to leverage this powerful tool in the fight against cyber attacks.

Today, agencies as diverse as the Federal Trade Commission, the Food and Drug Administration, and the U.S. Air Force are recommending hacker-powered security or using it internally to improve their own security. And, they're all serving as models for how any organization, public or private, can use hackers to make their systems, networks, hardware, and software more secure.

"We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community."
CHRIS LYNCH, Director of Defense Digital Service
Photo by Stephanie Dreyer

It Began with Hack the Pentagon
Hack the Pentagon was a security initiative taken by the DoD's Defense Digital Service (DDS) team. Launched as a bug bounty pilot program, it gained support from then Secretary of Defense Ash Carter, and, according to DDS, exceeded all expectations.

Hack the Pentagon was designed to identify and resolve security vulnerabilities within the Defense Department's public-facing websites. The first report was submitted 13 minutes after launch, and within 6 hours, that number grew to nearly 200.

ASH CARTER, Former U.S. Secretary of Defense

Over the course of the 24-day program, more than 1,400 hackers registered to participate, with 250 working to submit a new report every 30 minutes on average. As part of the HackerOne program, DDS leveraged HackerOne's triage services, which allowed the DDS security team to focus on resolving valid reports.

SUPPORT FROM ABOVE
Such a rapid commitment to hacker-powered security would not have been possible without an unwavering belief in the power of HackerOne's platform and talented community of hackers.

"By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them," said former Secretary of Defense, Ash Carter. "The (program) showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly."

The DoD is trailblazing a path to make society safer, and has taken the opportunity to be a leader in working with security researchers. And with Hack the Pentagon, the DoD created a model for others to follow, including other government agencies. But it wouldn't have been deemed a success if the results weren't positive.

"What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make contribution to our nation's security, but lack a legal avenue to do so."
ERIC FANNING, Former Secretary of the Army

STRONGER RESULTS
Of the valid reports submitted during Hack the Pentagon, 138
were found to be legitimate, unique and eligible for a bounty,
earning hackers a combined $75,000 in total bounty rewards.

TIME TO FIRST VULNERABILITY REPORT: 13 MINUTES
HACKERS REGISTERED TO PARTICIPATE: 1,410
REPORTS SUBMITTED IN FIRST 6 HOURS: 200
BOUNTIES PAID: $75,000

The power of a bug bounty program lies in the large number of diverse and highly skilled hackers looking at the code, and for Hack the Pentagon, reports poured in from 44 states and from US expert participants based as far away as Japan, Germany, and England. There was even a wide range of ages participating, with the youngest hacker to receive a bounty aged 14 and the oldest aged 53.

Over 138 unique software vulnerabilities were resolved. An SQL Injection issue was the most severe and earned $3,500 as the highest individual bounty. The average bounty was $588, with the top earning hacker making a total of $15,000 from this program.

But Hack the Pentagon was just the beginning.

Then Hack the Army ...and More

TIME TO FIRST VULNERABILITY REPORT: 5 MINUTES
ELIGIBLE HACKERS PARTICIPATING: 371
TOTAL REPORTS RECEIVED: 416
BOUNTIES PAID: $100,000

Within months of the successful Hack the Pentagon program, the DoD expanded their relationship with HackerOne to extend 3 years and provide hacker-powered security to multiple departments. Their next program, Hack the Army, was driven by Secretary of the Army Eric Fanning.

As the most ambitious federal bug bounty program to date, Hack the Army targeted operationally significant websites, including those mission critical to recruiting. The program aimed to engage with the diverse talent of the hacker community and supplement the existing security efforts of the Army red teams and the DDS.

Running little more than 3 weeks, the program's results were nothing less than spectacular.

Read more on our blog

HACKER CREATIVITY BEATS AUTOMATION
Beyond the overall success of Hack the Army, an extremely critical vulnerability was discovered by a hacker who creatively chained together a series of bugs. Exploiting the combination of vulnerabilities provided access to an internal DoD website that should have required special credentials. An open proxy enabled access to the network, but only a highly skilled hacker could recognize the several independent flaws underlying the vulnerability. Automation alone is rarely capable of such leaps of logic, and likely would not have highlighted this complex issue.

The Army remediation team, as well as the Army Cyber Protection Brigade, acted fast to block any further attacks and ensure there was no way to exploit the chain of vulnerabilities.

"I'm done with being afraid to know what our vulnerabilities are. That's not okay."
CHRIS LYNCH, Director of Defense Digital Service

VULNERABILITY DISCLOSURE: MODERN APPLICATION SECURITY 101
Shortly after Hack the Army was announced, and in a first for the U.S. government, the DoD introduced a Vulnerability Disclosure Policy (VDP) on HackerOne. The VDP gives hackers clear guidance on how to legally test for and disclose vulnerabilities in DoD's public-facing websites, including those outside of the other time-bound challenges.

In the past year, the DoD has thanked over 360 hackers for disclosing potential vulnerabilities, and has maintained an average time to first response of just 2 days.

You can learn more and read their full vulnerability disclosure policy here.

"The return on investment is incredible, both in terms of cost and in terms of making government assets more secure."
HUNTER PRICE, Director of Air Force Digital Service

Now Hack the Air Force
Next on the docket for the DoD was Hack the Air Force, which was their largest program
of the time and which expanded to include participants from partner nations Australia,
Canada, New Zealand, and the United Kingdom. As the biggest federal bug bounty
program to date, Hack the Air Force targeted operationally significant websites and
online services. The goal was to explore new approaches to security and to adopt the
best practices used by the most successful and secure software companies in the world.

Again, support from the top brought both awareness and legitimacy to their hacker-powered security efforts. The program was announced by Air Force Chief Information Security Officer Peter Kim at HackerOne headquarters, with Kim disclosing that this was the first time the Air Force opened its networks to such broad scrutiny.

"We have malicious hackers trying to get into our systems every day," Kim added. "It will be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cybersecurity and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."

With programs like Hack the Air Force, the DoD is redefining American defenses
in the digital era. But, as with every new initiative, success relies on results.

Read more on our blog

It took just under a minute for hackers to report the first security vulnerability to the U.S. Air Force. Twenty-five days later, when the Hack the Air Force bug bounty challenge concluded, 207 valid vulnerabilities had been discovered. Hackers will be awarded more than $130,000 for making the Air Force more secure.

HIGH-FLYING RESULTS

TIME TO FIRST VULNERABILITY REPORT: 1 MINUTE
ELIGIBLE HACKERS PARTICIPATING: 272
TOTAL VULNERABILITIES DISCOVERED: 207
BOUNTIES PAID: $130,000

Hack the Air Force instantly became the most successful government-run, hacker-powered security program in history, nearly doubling the results of the first Hack the Pentagon program from a year prior. Running for most of June 2017, the program resulted in 207 discovered vulnerabilities, the first of which was reported in less than a minute. Within the first 24 hours, 70 reports were submitted, 23 of which were valid. Kim and his team were more than prepared, with some reports getting responses in less than a minute. Over the 25-day program, the average response time was 8 hours and the average time to resolution during the challenge was just 4 days.

On the hacker side, 33 participants came from outside the U.S., and a 17-year-old from Chicago earned the largest total sum for 30 discoveries.

"Adversaries are constantly attempting to attack our websites, so we welcome a second opinion and in this case, hundreds of second opinions on the health and security of our online infrastructure," said Kim. "By engaging a global army of security researchers, we're better able to assess our vulnerabilities and protect the Air Force's efforts in the skies, on the ground and online."

With the unprecedented success of the Air Force bug bounty pilot program, coupled with the success of Hack the Pentagon and Hack the Army, the DoD has plans for at least 17 more hacker-powered security events.

Beyond the DoD, the success of these and other programs has not only legitimized hacker-powered security, it's created a flood of support for bug bounty and vulnerability disclosure programs.

"The ideal end-state is that bug bounties become a regular, common tool in securing all IT assets across the Department of Defense. We will always have security vulnerabilities. We can approach that reality in one of two ways: we can deny it, or we can be proactive, open to it and use every tool in our toolbox to remediate or mitigate them."
HUNTER PRICE, Director of Air Force Digital Service

Expanding Across the Federal Government
As hacker-powered security takes hold in the private sector, government entities are following the DoD's lead in expanding the use of these valuable programs. The entry point for most organizations is vulnerability disclosure policies and programs designed to help improve security and reduce risk.

In keeping with the government angle, VDPs are often compared to the U.S. Department of Homeland Security's "If You See Something, Say Something" program, which implores citizens to alert authorities when they see something you know shouldn't be there. VDPs serve the same purpose by giving people a way to report the "something" that seems amiss.

Since software, hardware, and other cyber security issues generally require a high level of technical expertise to even notice, let alone understand, those who see the issues often have the skills to also exploit them, if they so choose. While some see VDPs as a fast-track to finding and fixing vulnerabilities, others, especially many in conservative government agencies, see it as inviting unknown actors with unknown motivations to snoop around websites and products.

But more and more federal entities are beginning to embrace ethical hackers, and are even pushing public- and private-sector organizations to actively consider and implement VDPs. The National Telecommunications and Information Association (NTIA) organized a multi-stakeholder process for Coordinated Vulnerability Disclosures. The Federal Trade Commission (FTC) released a "Start with Security" guide, which recommends implementation of a VDP. And the Cybersecurity Unit of the Department of Justice developed a framework for VDPs.

"Automotive industry members should consider creating their own vulnerability report/disclosure policies, or adopting policies used in other sectors or in technical standards. Such policies would provide any external cybersecurity researcher with guidance on how to disclose vulnerabilities to organizations that manufacture and design vehicle systems."
NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION (NHTSA), Cybersecurity Best Practices for Modern Vehicles

"(Medical device) Manufacturers should adopt a coordinated vulnerability disclosure policy."
FOOD AND DRUG ADMINISTRATION (FDA), Management of Cybersecurity in Medical Devices

"The lesson for other business? Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security(@)yourcompany.com) for receiving reports and flagging them for your security staff."
FEDERAL TRADE COMMISSION (FTC), Start with Security

PUBLIC OR PRIVATE, VDPs ARE TABLE STAKES
The expectation of implementing a VDP has grown to include ISO/IEC 29147, which
specifically covers vulnerability disclosures. The standard provides guidelines for vendors
on how to receive information about potential vulnerabilities, how to disseminate resolution
information, and provides examples of content that should be included in a policy.

All of this and more has led private-sector companies like Adobe, General Motors, and
New Relic to leverage VDPs to improve their security posture. Some of these programs
collect hundreds of bug reports per quarter, with up to two-thirds of those reports
being confirmed as valid and previously-unknown, which are subsequently fixed.

But not everyone is working to close their security gaps. According to the Hacker-
Powered Security Report 2017, 94 percent of the Forbes Global 2000 do not have known
vulnerability disclosure policies, even with prodding from government agencies.

STRIKE BACK WITH BUG BOUNTIES


After implementing a VDP, the next step in utilizing hacker-powered security is a
bug bounty program. These programs are exploding across nearly every private-
sector industry, with close to 50,000 security vulnerabilities being resolved by
customers on HackerOne since 2014, and over 20,000 in 2016 alone. In total,
customers on HackerOne have paid out more than $20 million in bug bounties.

Growth in the public sector is slower, but steady. The General Services Administration's Technology Transformation Service (TTS) recently launched the first bug bounty program administered by a civilian federal agency. By taking the learnings of the DoD's time-bound programs, TTS created an ongoing bounty program more typical of non-governmental organizations.

In their first month, TTS paid out nearly $7,000 in bounties for
19 resolved reports. They thanked 15 hackers in that same
time, with individual bounties ranging from $150 to $2,000.

Getting Your Organization Started
Putting a VDP in place is the first step in leveraging hacker-powered security for any organization, regardless of whether it's a small private company, a large global enterprise, or a government entity. Then, move on to time-bound bounties, hacker-powered alternatives to penetration tests, or a continuous bounty program.

FIRST, PUBLISH A VDP


To get started, check out HackerOne's VDP Basics, a complete guide for crafting an effective vulnerability disclosure policy. Or, learn more about HackerOne Response, a turnkey solution to help organizations receive, respond to, and resolve security vulnerabilities discovered by third parties.

NEXT, DIP INTO BOUNTIES


Time-bound programs, like Hack the Pentagon, offer an alternative to traditional penetration testing. HackerOne Challenge provides a private, turnkey program with a focused scope and a finite length. It's an easy way to dip a toe into hacker-powered security, and it's cost-effective: hackers are paid for valid results, not man-hours. That means hackers are incentivized to find the issues with the biggest bounties, which directly correlates to the most value to you and to them.

HOW IT WORKS

WEEK 1: Define scope, invite hackers
WEEK 2-3: Test application, triage bugs
WEEK 4: Deliver report, review results

The typical HackerOne Challenge is a discreet, one-month engagement with HackerOne's best hackers, and comes with a detailed summary report with complete results.

Start Your Hacker-Powered Security Journey Today

REQUEST A HACKERONE DEMO

Peter E. Kim, CISO U.S. Air Force
Photo taken at HackerOne's San Francisco Headquarters
